pony | d466209a4cce9d51201dd1605e74c5a33c6691002916480858477a7e4ed8afd5

General

Target

d466209a4cce9d51201dd1605e74c5a33c6691002916480858477a7e4ed8afd5.exe
Size

79KB
MD5

9b4b0702dedf1fc055d5e6833657c6c9
SHA1

c92e722fd532aa5e67d1e5a2be27d3861efbc282
SHA256

d466209a4cce9d51201dd1605e74c5a33c6691002916480858477a7e4ed8afd5
SHA512

5f04b9d84bd8aa722bd654e2650652f4b19873ddd8518cba94e8d6e0c2ff7df66f5f996eebb5d0df8afe19f4cf45bda08a6f3b9390a0c37a49f187cbba92f94e
SSDEEP

1536:Pfyn9b9lTxiW6+SsNWmDBE6G72YHG3C8U1/HYYdH+Y:PfC9lNE+SUpOEyGS8gN9

Score

10^/10

pony collection persistence rat spyware stealer upx

Malware Config

Extracted

Family

pony

C2

http://indo.3eeweb.com/1/1/gate.php

Signatures

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4356-138-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4356-141-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4356-142-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4356-144-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4356-146-0x0000000000400000-0x000000000041C000-memory.dmp	upx

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	svchost.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d466209a4cce9d51201dd1605e74c5a33c6691002916480858477a7e4ed8afd5.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\side = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\side.exe"	d466209a4cce9d51201dd1605e74c5a33c6691002916480858477a7e4ed8afd5.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

d466209a4cce9d51201dd1605e74c5a33c6691002916480858477a7e4ed8afd5.exe

description	pid	process	target process
PID 1672 set thread context of 4356	1672	d466209a4cce9d51201dd1605e74c5a33c6691002916480858477a7e4ed8afd5.exe	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

d466209a4cce9d51201dd1605e74c5a33c6691002916480858477a7e4ed8afd5.exe

pid	process
1672	d466209a4cce9d51201dd1605e74c5a33c6691002916480858477a7e4ed8afd5.exe
1672	d466209a4cce9d51201dd1605e74c5a33c6691002916480858477a7e4ed8afd5.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

Processes:

d466209a4cce9d51201dd1605e74c5a33c6691002916480858477a7e4ed8afd5.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1672	d466209a4cce9d51201dd1605e74c5a33c6691002916480858477a7e4ed8afd5.exe
Token: SeImpersonatePrivilege	4356	svchost.exe
Token: SeTcbPrivilege	4356	svchost.exe
Token: SeChangeNotifyPrivilege	4356	svchost.exe
Token: SeCreateTokenPrivilege	4356	svchost.exe
Token: SeBackupPrivilege	4356	svchost.exe
Token: SeRestorePrivilege	4356	svchost.exe
Token: SeIncreaseQuotaPrivilege	4356	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	4356	svchost.exe
Token: SeImpersonatePrivilege	4356	svchost.exe
Token: SeTcbPrivilege	4356	svchost.exe
Token: SeChangeNotifyPrivilege	4356	svchost.exe
Token: SeCreateTokenPrivilege	4356	svchost.exe
Token: SeBackupPrivilege	4356	svchost.exe
Token: SeRestorePrivilege	4356	svchost.exe
Token: SeIncreaseQuotaPrivilege	4356	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	4356	svchost.exe
Token: SeImpersonatePrivilege	4356	svchost.exe
Token: SeTcbPrivilege	4356	svchost.exe
Token: SeChangeNotifyPrivilege	4356	svchost.exe
Token: SeCreateTokenPrivilege	4356	svchost.exe
Token: SeBackupPrivilege	4356	svchost.exe
Token: SeRestorePrivilege	4356	svchost.exe
Token: SeIncreaseQuotaPrivilege	4356	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	4356	svchost.exe
Token: SeImpersonatePrivilege	4356	svchost.exe
Token: SeTcbPrivilege	4356	svchost.exe
Token: SeChangeNotifyPrivilege	4356	svchost.exe
Token: SeCreateTokenPrivilege	4356	svchost.exe
Token: SeBackupPrivilege	4356	svchost.exe
Token: SeRestorePrivilege	4356	svchost.exe
Token: SeIncreaseQuotaPrivilege	4356	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	4356	svchost.exe
Token: SeImpersonatePrivilege	4356	svchost.exe
Token: SeTcbPrivilege	4356	svchost.exe
Token: SeChangeNotifyPrivilege	4356	svchost.exe
Token: SeCreateTokenPrivilege	4356	svchost.exe
Token: SeBackupPrivilege	4356	svchost.exe
Token: SeRestorePrivilege	4356	svchost.exe
Token: SeIncreaseQuotaPrivilege	4356	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	4356	svchost.exe
Token: SeImpersonatePrivilege	4356	svchost.exe
Token: SeTcbPrivilege	4356	svchost.exe
Token: SeChangeNotifyPrivilege	4356	svchost.exe
Token: SeCreateTokenPrivilege	4356	svchost.exe
Token: SeBackupPrivilege	4356	svchost.exe
Token: SeRestorePrivilege	4356	svchost.exe
Token: SeIncreaseQuotaPrivilege	4356	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	4356	svchost.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

d466209a4cce9d51201dd1605e74c5a33c6691002916480858477a7e4ed8afd5.exesvchost.exe

description	pid	process	target process
PID 1672 wrote to memory of 3172	1672	d466209a4cce9d51201dd1605e74c5a33c6691002916480858477a7e4ed8afd5.exe	CMD.exe
PID 1672 wrote to memory of 3172	1672	d466209a4cce9d51201dd1605e74c5a33c6691002916480858477a7e4ed8afd5.exe	CMD.exe
PID 1672 wrote to memory of 3172	1672	d466209a4cce9d51201dd1605e74c5a33c6691002916480858477a7e4ed8afd5.exe	CMD.exe
PID 1672 wrote to memory of 1312	1672	d466209a4cce9d51201dd1605e74c5a33c6691002916480858477a7e4ed8afd5.exe	CMD.exe
PID 1672 wrote to memory of 1312	1672	d466209a4cce9d51201dd1605e74c5a33c6691002916480858477a7e4ed8afd5.exe	CMD.exe
PID 1672 wrote to memory of 1312	1672	d466209a4cce9d51201dd1605e74c5a33c6691002916480858477a7e4ed8afd5.exe	CMD.exe
PID 1672 wrote to memory of 4736	1672	d466209a4cce9d51201dd1605e74c5a33c6691002916480858477a7e4ed8afd5.exe	svchost.exe
PID 1672 wrote to memory of 4736	1672	d466209a4cce9d51201dd1605e74c5a33c6691002916480858477a7e4ed8afd5.exe	svchost.exe
PID 1672 wrote to memory of 4736	1672	d466209a4cce9d51201dd1605e74c5a33c6691002916480858477a7e4ed8afd5.exe	svchost.exe
PID 1672 wrote to memory of 4356	1672	d466209a4cce9d51201dd1605e74c5a33c6691002916480858477a7e4ed8afd5.exe	svchost.exe
PID 1672 wrote to memory of 4356	1672	d466209a4cce9d51201dd1605e74c5a33c6691002916480858477a7e4ed8afd5.exe	svchost.exe
PID 1672 wrote to memory of 4356	1672	d466209a4cce9d51201dd1605e74c5a33c6691002916480858477a7e4ed8afd5.exe	svchost.exe
PID 1672 wrote to memory of 4356	1672	d466209a4cce9d51201dd1605e74c5a33c6691002916480858477a7e4ed8afd5.exe	svchost.exe
PID 1672 wrote to memory of 4356	1672	d466209a4cce9d51201dd1605e74c5a33c6691002916480858477a7e4ed8afd5.exe	svchost.exe
PID 1672 wrote to memory of 4356	1672	d466209a4cce9d51201dd1605e74c5a33c6691002916480858477a7e4ed8afd5.exe	svchost.exe
PID 1672 wrote to memory of 4356	1672	d466209a4cce9d51201dd1605e74c5a33c6691002916480858477a7e4ed8afd5.exe	svchost.exe
PID 4356 wrote to memory of 3360	4356	svchost.exe	cmd.exe
PID 4356 wrote to memory of 3360	4356	svchost.exe	cmd.exe
PID 4356 wrote to memory of 3360	4356	svchost.exe	cmd.exe

outlook_win_path 1 IoCs

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	svchost.exe

C:\Users\Admin\AppData\Local\Temp\d466209a4cce9d51201dd1605e74c5a33c6691002916480858477a7e4ed8afd5.exe
"C:\Users\Admin\AppData\Local\Temp\d466209a4cce9d51201dd1605e74c5a33c6691002916480858477a7e4ed8afd5.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\CMD.exe
"CMD"
2⤵
PID:3172

C:\Windows\SysWOW64\CMD.exe
"CMD"
2⤵
PID:1312

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
2⤵
PID:4736

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
2⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_win_path
PID:4356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240620265.bat" "C:\Windows\SysWOW64\svchost.exe" "
3⤵
PID:3360

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

2

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\240620265.bat

Filesize
94B

MD5
3880eeb1c736d853eb13b44898b718ab

SHA1
4eec9d50360cd815211e3c4e6bdd08271b6ec8e6

SHA256
936d9411d5226b7c5a150ecaf422987590a8870c8e095e1caa072273041a86e7

SHA512
3eaa3dddd7a11942e75acd44208fbe3d3ff8f4006951cd970fb9ab748c160739409803450d28037e577443504707fc310c634e9dc54d0c25e8cfe6094f017c6b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\side.exe

Filesize
79KB

MD5
9b4b0702dedf1fc055d5e6833657c6c9

SHA1
c92e722fd532aa5e67d1e5a2be27d3861efbc282

SHA256
d466209a4cce9d51201dd1605e74c5a33c6691002916480858477a7e4ed8afd5

SHA512
5f04b9d84bd8aa722bd654e2650652f4b19873ddd8518cba94e8d6e0c2ff7df66f5f996eebb5d0df8afe19f4cf45bda08a6f3b9390a0c37a49f187cbba92f94e

Download Submit
memory/1312-134-0x0000000000000000-mapping.dmp

Download
memory/1672-143-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/1672-132-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/1672-140-0x00000000753F0000-0x00000000759A1000-memory.dmp

Filesize
5.7MB

Download
memory/3172-133-0x0000000000000000-mapping.dmp

Download
memory/3360-145-0x0000000000000000-mapping.dmp

Download
memory/4356-138-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4356-142-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4356-141-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4356-144-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4356-137-0x0000000000000000-mapping.dmp

Download
memory/4356-146-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4736-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads